From: Baptiste Daroussin Date: Tue, 17 Dec 2013 08:20:45 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r336698 - in branches/2014Q1: security/vuxml www/phpmyfaq X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Dec 2013 08:20:46 -0000 Author: bapt Date: Tue Dec 17 08:20:44 2013 New Revision: 336698 URL: http://svnweb.freebsd.org/changeset/ports/336698 Log: MFH: r336678 - update to 2.8.4 - add stage support Security: 3b86583a-66a7-11e3-868f-0025905a4771 Modified: branches/2014Q1/security/vuxml/vuln.xml branches/2014Q1/www/phpmyfaq/Makefile branches/2014Q1/www/phpmyfaq/distinfo branches/2014Q1/www/phpmyfaq/pkg-plist Directory Properties: branches/2014Q1/ (props changed) Modified: branches/2014Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2014Q1/security/vuxml/vuln.xml Tue Dec 17 08:08:59 2013 (r336697) +++ branches/2014Q1/security/vuxml/vuln.xml Tue Dec 17 08:20:44 2013 (r336698) @@ -51,6 +51,36 @@ Note: Please add new entries to the beg --> + + phpmyfaq -- arbitrary PHP code execution vulnerability + + + phpmyfaq + 2.8.4 + + + + +

The phpMyFAQ team reports:

+
+

Secunia noticed while analysing the advisory that authenticated + users with "Right to add attachments" are able to exploit an already + publicly known issue in the bundled Ajax File Manager of phpMyFAQ version + 2.8.3, which leads to arbitrary PHP code execution for authenticated + users with the permission "Right to add attachments".

+
+ +
+ + http://www.phpmyfaq.de/advisory_2013-11-26.php + http://en.securitylab.ru/lab/PT-2013-41 + + + 2013-11-26 + 2013-12-16 + +
+ zabbix -- shell command injection vulnerability Modified: branches/2014Q1/www/phpmyfaq/Makefile ============================================================================== --- branches/2014Q1/www/phpmyfaq/Makefile Tue Dec 17 08:08:59 2013 (r336697) +++ branches/2014Q1/www/phpmyfaq/Makefile Tue Dec 17 08:20:44 2013 (r336698) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= phpmyfaq -PORTVERSION= 2.8.2 +PORTVERSION= 2.8.4 CATEGORIES= www MASTER_SITES= http://www.phpmyfaq.de/download/ @@ -11,20 +11,20 @@ COMMENT= A multilingual, completely data WRKSRC= ${WRKDIR}/${PORTNAME} +NEED_ROOT= yes + USE_PHP= filter json mysql pcre pdf session xml xmlrpc xmlwriter zlib FAQ_DIR= attachments data images inc pdf xml NO_BUILD= YES WANT_PHP_WEB= YES +NO_ARCH= YES -NO_STAGE= yes do-install: - -${MKDIR} ${WWWDIR} - @cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${WWWDIR} + @${MKDIR} ${STAGEDIR}${WWWDIR} + @cd ${WRKSRC} && ${COPYTREE_SHARE} \* ${STAGEDIR}${WWWDIR} .for i in ${FAQ_DIR} - -@${MKDIR} ${WWWDIR}/${i} - @${CHMOD} 777 ${WWWDIR}/${i} + @${MKDIR} ${STAGEDIR}${WWWDIR}/${i} + @${CHOWN} ${WWWOWN}:${WWWGRP} ${STAGEDIR}${WWWDIR}/${i} ${STAGEDIR}${WWWDIR}/config .endfor - @${CHOWN} -R ${WWWOWN}:${WWWGRP} ${WWWDIR} - @${CAT} ${PKGMESSAGE} .include Modified: branches/2014Q1/www/phpmyfaq/distinfo ============================================================================== --- branches/2014Q1/www/phpmyfaq/distinfo Tue Dec 17 08:08:59 2013 (r336697) +++ branches/2014Q1/www/phpmyfaq/distinfo Tue Dec 17 08:20:44 2013 (r336698) 
@@ -1,2 +1,2 @@ -SHA256 (phpmyfaq-2.8.2.tar.gz) = 2ab6452da45dacd3bd771597671371881a4c9d13352b4c70d608b686779c3db6 -SIZE (phpmyfaq-2.8.2.tar.gz) = 3896352 +SHA256 (phpmyfaq-2.8.4.tar.gz) = da4762ce824a973f0303762e9028ea9c7e1b1b0bc0f7721388046bd1c35b0164 +SIZE (phpmyfaq-2.8.4.tar.gz) = 3903889 Modified: branches/2014Q1/www/phpmyfaq/pkg-plist ============================================================================== --- branches/2014Q1/www/phpmyfaq/pkg-plist Tue Dec 17 08:08:59 2013 (r336697) +++ branches/2014Q1/www/phpmyfaq/pkg-plist Tue Dec 17 08:20:44 2013 (r336698) @@ -1,3 +1,16 @@ +@exec mkdir -p %D/www/phpmyfaq/attachments +@exec mkdir -p %D/www/phpmyfaq/data +@exec mkdir -p %D/www/phpmyfaq/images +@exec mkdir -p %D/www/phpmyfaq/inc +@exec mkdir -p %D/www/phpmyfaq/pdf +@exec mkdir -p %D/www/phpmyfaq/xml +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/attachments +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/config +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/data +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/images +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/inc +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/pdf +@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/xml %%WWWDIR%%/_.htaccess %%WWWDIR%%/_httpd.ini %%WWWDIR%%/_lighttpd.conf @@ -24,6 +37,7 @@ %%WWWDIR%%/admin/assets/font/fontawesome-webfont.svg %%WWWDIR%%/admin/assets/font/fontawesome-webfont.ttf %%WWWDIR%%/admin/assets/font/fontawesome-webfont.woff +%%WWWDIR%%/admin/assets/js/record.js %%WWWDIR%%/admin/assets/js/uploadcheck.js %%WWWDIR%%/admin/assets/js/user.js %%WWWDIR%%/admin/assets/less/style.less @@ -876,6 +890,7 @@ %%WWWDIR%%/assets/template/default/favicon.ico %%WWWDIR%%/assets/template/default/glossary.tpl %%WWWDIR%%/assets/template/default/images/arrow.gif +%%WWWDIR%%/assets/template/default/indexPassword.tpl %%WWWDIR%%/assets/template/default/index.tpl %%WWWDIR%%/assets/template/default/indexLogin.tpl %%WWWDIR%%/assets/template/default/indexMaintenance.tpl 
@@ -1264,7 +1279,7 @@ @dirrm %%WWWDIR%%/xml @dirrm %%WWWDIR%%/services/twitter @dirrm %%WWWDIR%%/services -@dirrmtry %%WWWDIR%%/pdf +@dirrm %%WWWDIR%%/pdf @dirrm %%WWWDIR%%/multisite @dirrm %%WWWDIR%%/lang @dirrm %%WWWDIR%%/install @@ -1357,16 +1372,16 @@ @dirrm %%WWWDIR%%/inc/PMF/Attachment @dirrm %%WWWDIR%%/inc/PMF @dirrm %%WWWDIR%%/inc -@dirrmtry %%WWWDIR%%/images +@dirrm %%WWWDIR%%/images @dirrm %%WWWDIR%%/feed/topten @dirrm %%WWWDIR%%/feed/openquestions @dirrm %%WWWDIR%%/feed/news @dirrm %%WWWDIR%%/feed/latest @dirrm %%WWWDIR%%/feed/category @dirrm %%WWWDIR%%/feed -@dirrmtry %%WWWDIR%%/data -@dirrmtry %%WWWDIR%%/config -@dirrmtry %%WWWDIR%%/attachments +@dirrm %%WWWDIR%%/data +@dirrm %%WWWDIR%%/config +@dirrm %%WWWDIR%%/attachments @dirrm %%WWWDIR%%/assets/template/default/less @dirrm %%WWWDIR%%/assets/template/default/images @dirrm %%WWWDIR%%/assets/template/default/css
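Review bot: In www/phpmyfaq/Makefile, hunk @@ -11,20 +11,20, the new `${CHOWN}` line inside the `.for i in ${FAQ_DIR}` loop also names `${STAGEDIR}${WWWDIR}/config`, so config is chowned on every one of the six iterations. Move the config chown out of the loop. pkg-plist in this same commit adds `@exec chown %%WWWOWN%%:%%WWWGRP%%` for the same seven directories, so the stage-time chown looks redundant; if it is dropped, `NEED_ROOT= yes` can probably go with it.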
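Review bot: In www/phpmyfaq/pkg-plist, hunk @@ -1,3 +1,16, `@exec chown %%WWWOWN%%:%%WWWGRP%% %D/www/phpmyfaq/inc` hands ownership of inc to the web server user, and the `@dirrm %%WWWDIR%%/inc/PMF` entries further down suggest inc holds application code rather than uploads. The VuXML entry in this commit describes PHP code execution reached through the attachment permission, so please confirm inc really needs runtime writes and leave it root-owned if it does not. Separately, config is chowned here but is the only one of the seven directories without a `mkdir -p` line; add one or confirm the directory always exists when these @exec lines run.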
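Review bot: In www/phpmyfaq/pkg-plist, hunk @@ -1357,16 +1372,16, images, data, config and attachments change from `@dirrmtry` to `@dirrm`, and pdf does the same in hunk @@ -1264,7 +1279,7. These are the directories that the Makefile and the new @exec lines give to the web server user, so they will often be non-empty at deinstall and `@dirrm` will then report an error. Keep `@dirrmtry` for these five, and consider it for xml as well since it is chowned the same way.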